Add 'server.remove-forward-headers' option #11525

Enabling that option should create a `ForwardedHeaderFilter` option and remove Forwarded headers. This is especially useful if your application is looking at Forwarded headers even though it's not protected by a proxy (adding/removing those headers already).

See Rossen's comment in #10900 (comment) for more background about this.

Comments

An additional question is whether this property should be set by default. Doing so would cause applications that actually need to use forwarded headers to fail, but the failure cause should be fairly obvious. The benefit is that it leads down a safer path of explicitly opting into the use of forwarded headers. Note also that setting the flag by default has the potential and likely will cause regression in applications that currently rely on forwarded headers implicitly, i.e. by virtue of using

One thing bothers me, though. If that's really insecure and not obvious, why is that the default in Spring Framework? Shouldn't

That's just it though, there is no way to toggle this on and off in the Spring Framework. The only option would be to stop consuming those headers.

And that's what we intend to do in 5.1 https://jira.spring.io/browse/SPR-16668.

Is this still an active issue that needs to be worked on?

@sangeetha5491 Yes, although I don't think we know exactly what form that work should take just yet.

Since SPR-16668, Spring applications don't rely on forwarded headers by default. As explained in the Spring Framework migration docs, you either need to enable the forwarded headers support at the server level (which is what Spring Boot provides) or configure a If we provide a

With that in mind, I think we should close this issue. If developers need to remove those headers for a specific reason, then creating a

The team discussed this issue and we think that this is not useful.
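The thread ends with the maintainers declining to add the property, so an application that wants the behaviour the issue proposes (strip `Forwarded`/`X-Forwarded-*` headers rather than act on them) has to wire it itself. The following is an added example, not code from the issue or from Spring Boot: a Boot 2.x configuration that registers Spring Framework's `ForwardedHeaderFilter` in remove-only mode. The property name `server.remove-forward-headers` is taken from the issue title and is assumed here; Spring Boot never shipped it, so the bean is bound to it by hand with `@ConditionalOnProperty` instead of by auto-configuration.

```java
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.web.filter.ForwardedHeaderFilter;

/**
 * Added example (not part of issue #11525 or of Spring Boot): registers
 * ForwardedHeaderFilter so that it discards Forwarded and X-Forwarded-*
 * headers instead of applying them. This is the "remove" behaviour the
 * issue asked for, meant for applications that are reachable without a
 * trusted reverse proxy in front of them.
 *
 * "server.remove-forward-headers" is a hypothetical property name taken
 * from the issue title; it is not a real Spring Boot property.
 */
@Configuration
public class ForwardedHeaderConfig {

    @Bean
    @ConditionalOnProperty(name = "server.remove-forward-headers", havingValue = "true")
    public FilterRegistrationBean<ForwardedHeaderFilter> removeForwardedHeaders() {
        ForwardedHeaderFilter filter = new ForwardedHeaderFilter();
        // removeOnly=true: the filter strips the headers from the request and
        // does NOT rewrite scheme/host/port/prefix from them, so a client that
        // sends its own X-Forwarded-Host cannot influence URI building,
        // redirects or HttpServletRequest#getServerName downstream.
        filter.setRemoveOnly(true);

        FilterRegistrationBean<ForwardedHeaderFilter> registration =
                new FilterRegistrationBean<>(filter);
        // Run before any other filter (e.g. security) gets to read the headers.
        registration.setOrder(Ordered.HIGHEST_PRECEDENCE);
        registration.addUrlPatterns("/*");
        return registration;
    }
}
```

Setting `server.remove-forward-headers=true` in `application.properties` activates the bean. Dropping the `setRemoveOnly(true)` line turns the same registration into the explicit opt-in that the discussion describes: the filter then applies the headers, which is only safe when a trusted proxy in front of the application overwrites any client-supplied `Forwarded`/`X-Forwarded-*` values. The server-level alternative the maintainers mention (Tomcat's `RemoteIpValve` and its equivalents, enabled in Boot 1.x/2.0 through `server.use-forward-headers`) covers the opt-in case but has no remove-only mode, which is why the filter is used here.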